For GETELEM/SETELEM we must check that its a native object first before trying to compare the objects shape to the shape of the global object to ensure its not aliasing the global object (457979, r=shaver).
For GETELEM/SETELEM we must check that it's a native object first, before trying to compare the object's shape to the shape of the global object to ensure it's not aliasing the global object (457979, r=shaver).
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -3886,25 +3886,25 @@ TraceRecorder::guardDenseArrayIndex(JSOb
* One win here is that we do not need to generate a guard that obj_ins does
* not result in the global object on trace, because we guard on shape and rule
* out obj's shape being the global object's shape at recording time. This is
* safe because the global shape cannot change on trace.
*/
bool
TraceRecorder::guardElemOp(JSObject* obj, LIns* obj_ins, jsid id, size_t op_offset, jsval* vp)
{
- uint32 shape = OBJ_SHAPE(obj);
- if (JSID_IS_ATOM(id) && shape == traceMonitor->globalShape)
- ABORT_TRACE("elem op probably aliases global");
-
LIns* map_ins = lir->insLoad(LIR_ldp, obj_ins, (int)offsetof(JSObject, map));
LIns* ops_ins;
if (!map_is_native(obj->map, map_ins, ops_ins, op_offset))
return false;
+ uint32 shape = OBJ_SHAPE(obj);
+ if (JSID_IS_ATOM(id) && shape == traceMonitor->globalShape)
+ ABORT_TRACE("elem op probably aliases global");
+
JSObject* pobj;
JSProperty* prop;
if (!js_LookupProperty(cx, obj, id, &pobj, &prop))
return false;
if (vp)
*vp = JSVAL_VOID;
if (prop) {
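Review bot: Nothing at the moved `uint32 shape = OBJ_SHAPE(obj);` line records why it now has to follow the `map_is_native` check, so a later cleanup could hoist it back to the top of guardElemOp and reintroduce a shape read through the map of a non-native object. A short comment directly above the moved lines would pin the ordering, for example `/* OBJ_SHAPE is only valid for native objects; keep this after the map_is_native check. */`. The header comment above the function explains the global-alias reasoning but does not mention the native-object precondition, so it could carry the same sentence. The body of guardElemOp continues past the end of this hunk, so whether later code relies on `shape` in other ways is not visible here.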